Intrusion detection systems are used by an enterprise to detect and identify unauthorized or unwanted use of the enterprise's computer network (commonly called an attack), which normally comprises a large number of nodes and one or more network operations centers (NOCs). In general, these enterprise intrusion detection systems scan network traffic, audit trails, and other data sources for specific patterns that indicate malicious activity. Because of the large volume of data, conventional intrusion detection systems often require many analysts to evaluate the network data, using various tool implementations for identifying the patterns, such as finite state machines, simple pattern matching, or specialized algorithms.
Current enterprise intrusion detection systems (IDSs) often overwhelm analysts with data because of poor data aggregation, correlation, and presentation. To overcome this shortcoming, an enterprise using a traditional IDS is faced with choices that either weaken the effectiveness of the IDS or are expensive to implement. For example, the enterprise may limit the information collected by the IDS. In another example, intrusion signatures that occasionally produce false alerts may be removed from the IDS. Other changes include not reporting alerts below a given priority level or reducing the number of monitored nodes. If the enterprise is unwilling to reduce the effectiveness of its conventional IDS, it normally must hire additional, expensive analysts to review the information that is overwhelming the current staff.
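The trade-off described above can be made concrete with a small simulation. The following is an added example, not part of the original document and not any particular IDS product: it runs simple pattern-matching signatures over constructed log lines, produces the one-alert-per-match stream that buries an analyst, then contrasts the naive fix (dropping low-priority alerts) with aggregation and correlation. The signature table, the log lines, the addresses and the correlation rule (scan, then repeated SSH failures, then an SSH success from the same source) are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed signature table: (name, pattern, priority); 3 is the highest priority.
SIGNATURES = [
    ("icmp-sweep",    re.compile(r"proto=ICMP"), 1),
    ("syn-scan",      re.compile(r"flags=S dport=\d+"), 2),
    ("ssh-auth-fail", re.compile(r"sshd.*Failed password"), 2),
    ("ssh-auth-ok",   re.compile(r"sshd.*Accepted password"), 1),
]

ATTACKER, MONITOR, ADMIN = "203.0.113.7", "192.0.2.10", "192.0.2.20"  # assumed hosts

def constructed_log():
    """Build sample log lines of the form '<epoch> <src> <message>' (constructed data)."""
    lines = []
    # A monitoring host pings every 10 s: benign, but it matches icmp-sweep 30 times.
    lines += [f"{t} {MONITOR} proto=ICMP type=8" for t in range(0, 300, 10)]
    # The attacker: ICMP sweep, then a SYN scan, then SSH brute force, then a success.
    lines += [f"{100 + i} {ATTACKER} proto=ICMP type=8" for i in range(5)]
    lines += [f"{120 + i} {ATTACKER} flags=S dport={p}" for i, p in enumerate(range(20, 40))]
    lines += [f"{150 + i} {ATTACKER} sshd: Failed password for root" for i in range(8)]
    lines += [f"160 {ATTACKER} sshd: Accepted password for root"]
    # A legitimate administrator login with no preceding scan or failures.
    lines += [f"200 {ADMIN} sshd: Accepted password for admin"]
    return sorted(lines, key=lambda line: int(line.split()[0]))

def raw_alerts(lines):
    """Simple pattern matching: one alert per (line, signature) match, no aggregation."""
    alerts = []
    for line in lines:
        ts, src, msg = line.split(" ", 2)
        for name, pat, prio in SIGNATURES:
            if pat.search(msg):
                alerts.append({"ts": int(ts), "src": src, "sig": name, "prio": prio})
    return alerts

def suppress(alerts, min_prio):
    """The naive remedy from the text: stop reporting alerts below a priority level."""
    return [a for a in alerts if a["prio"] >= min_prio]

def aggregate(alerts, window=60):
    """Collapse repeats of the same (src, sig) within `window` seconds into one record."""
    groups = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        for g in groups:
            if g["src"] == a["src"] and g["sig"] == a["sig"] and a["ts"] - g["last"] <= window:
                g["last"], g["count"] = a["ts"], g["count"] + 1
                break
        else:
            groups.append({"src": a["src"], "sig": a["sig"], "prio": a["prio"],
                           "first": a["ts"], "last": a["ts"], "count": 1})
    return groups

def correlate(groups):
    """Hypothetical correlation rule (an assumption, not a standard): a source that
    scans, repeatedly fails SSH authentication, and then succeeds becomes one
    high-priority incident. Note that the low-priority ssh-auth-ok alert is what
    turns a noisy brute-force attempt into a confirmed compromise."""
    by_src = defaultdict(list)
    for g in sorted(groups, key=lambda g: g["first"]):
        by_src[g["src"]].append(g)
    incidents = []
    for src, gs in by_src.items():
        sigs = [g["sig"] for g in gs]
        if ("syn-scan" in sigs and "ssh-auth-fail" in sigs and "ssh-auth-ok" in sigs
                and sigs.index("ssh-auth-fail") < sigs.index("ssh-auth-ok")):
            incidents.append({"src": src, "prio": 3, "chain": sigs,
                              "events": sum(g["count"] for g in gs)})
    return incidents

if __name__ == "__main__":
    raw = raw_alerts(constructed_log())
    groups = aggregate(raw)
    print(f"raw alerts: {len(raw)}, aggregated records: {len(groups)}")
    print("incidents with correlation:", correlate(groups))
    print("incidents after dropping priority-1 alerts:", correlate(aggregate(suppress(raw, 2))))
```

On the constructed data the raw stream is 65 alerts, almost half of them the benign monitoring host tripping the ICMP signature; aggregation reduces this to six records, and correlation turns four of those into a single priority-3 incident. Dropping priority-1 alerts instead, as the text describes, also removes the 30 benign ICMP alerts, but it discards the one ssh-auth-ok event that distinguishes a successful intrusion from a failed attempt, so the correlated incident is never produced.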